//! Random blinding support for [`Scalar`]
// TODO(tarcieri): make this generic (along with `Scalar::invert_vartime`)
// and extract it into the `elliptic-curve` crate so it can be reused across curves
use super::Scalar;
use core::borrow::Borrow;
use elliptic_curve::{
group::ff::Field,
ops::Invert,
rand_core::{CryptoRng, RngCore},
subtle::CtOption,
zeroize::Zeroize,
};
/// A [`Scalar`] paired with a randomly generated masking scalar.
///
/// The mask is consumed by the [`Invert`] impl so that the variable-time
/// inversion operates on a randomized product rather than on the protected
/// scalar itself; this is intended for ECDSA ephemeral (`k`) scalars.
#[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))]
#[derive(Clone)]
pub struct BlindedScalar {
    /// The scalar being protected
    scalar: Scalar,
    /// Random masking value applied before and after inversion
    mask: Scalar,
}
impl BlindedScalar {
    /// Wrap `scalar` together with a fresh mask sampled from `rng`.
    ///
    /// The mask comes from [`Field::random`], which is expected to yield a
    /// uniformly distributed field element. A zero mask would make the
    /// product inverted by [`Invert`] zero; that outcome has negligible
    /// probability for a random scalar and is not checked for here.
    pub fn new(scalar: Scalar, rng: impl CryptoRng + RngCore) -> Self {
        let mask = Scalar::random(rng);
        Self { scalar, mask }
    }
}
impl Borrow<Scalar> for BlindedScalar {
    /// Expose the protected scalar (never the mask) to callers that only
    /// need a `&Scalar`.
    fn borrow(&self) -> &Scalar {
        let Self { scalar, .. } = self;
        scalar
    }
}
impl Invert for BlindedScalar {
    type Output = CtOption<Scalar>;

    /// Compute `scalar⁻¹` without ever running the variable-time inversion
    /// on `scalar` itself.
    ///
    /// The inversion is applied to the masked product `scalar * mask`, and
    /// the result is multiplied by `mask` once more, since
    /// `(s·m)⁻¹·m = s⁻¹`. Only the randomized product is exposed to the
    /// data-dependent timing of `invert_vartime`; the two multiplications
    /// are ordinary field operations. A `None` result from
    /// `invert_vartime` (presumably when the product is zero) passes
    /// through `map` unchanged.
    fn invert(&self) -> CtOption<Scalar> {
        let masked = self.scalar * self.mask;
        let masked_inverse = masked.invert_vartime();
        masked_inverse.map(|inv| inv * self.mask)
    }
}
impl Zeroize for BlindedScalar {
    /// Overwrite both the protected scalar and its mask in place.
    fn zeroize(&mut self) {
        let Self { scalar, mask } = self;
        scalar.zeroize();
        mask.zeroize();
    }
}
impl Drop for BlindedScalar {
    /// Wipe the scalar and mask from memory when the value goes out of
    /// scope, so neither outlives the blinded value.
    fn drop(&mut self) {
        Zeroize::zeroize(self);
    }
}